When I was setting up ERM for Business Objects S.A., I was surprised by the reaction of the General Counsel, David.
I had already met with the CEO and his other direct reports. Now David and I were meeting so I could get his insights on the more significant sources of risk to the company and its objectives.
“I’m not going to answer your questions about risk.”
I was shocked and asked him why, since both the board and his boss, the CEO, wanted this done.
Even though I told him that his insights were critical, he politely but firmly told me he would not share what he thought the likelihoods were of each of the events and situations most likely to cause a significant problem for Business Objects.
He went further, saying he would not provide any assessment of risk relating to legal actions by or against the company that would be documented by me.
David believed, with some justification, that documenting his (and the company’s) assessment of risks could itself create an unacceptable level of risk.
Why is there danger in risk assessment? (Beyond the risk of getting the risk assessment wrong, leading to bad business decisions, as discussed in my last post.)
Consider safety risk: the possibility that an individual might sustain serious harm while on our premises or when using our products. The company may…